SM
Uploaded bySylvain Martinez
PDF, PPTX996 views

INCIDENT RESPONSE OVERVIEW

This document provides an overview of incident response procedures, including the incident response life cycle of detection, categorization, containment, investigation, remediation, reporting, and learnings. It outlines roles and responsibilities, communication processes, and generic response playbooks. Resources for incident response frameworks and standards are also referenced.

Technology
Related topics:
Cyber-Security

Embed presentation

Download as PDF, PPTX
INCIDENT RESPONSE OVERVIEW VERSION: 1.3a DATE: 27/03/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC15-MUSCL CLASSIFICATION: PUBLIC {elysiumsecurity} cyber protection & response
2 • Incident Response Overview; • Incident Response Life Cycle; • Rules of Engagement; • 1. Detection; • 2. Categorisation; • 3. Containment; • 4. Investigation; • 5. Remediation; • 6. Reporting; • 7. Learnings. • Generic Response Playbook; • Resources. CONTENTS PUBLIC GOING FURTHERRESPONSECONTEXT {elysiumsecurity} cyber protection & response
3 THE GOAL OF INCIDENT RESPONSE IS TO FIRST CONTAIN THE THREAT, THEN REMEDIATE IT AND RECOVER FROM IT. EFFICIENT INCIDENT RESPONSE RELIES ON ITS INCIDENT MANAGEMENT FRAMEWORK: • CATEGORIES; • ROLES; • RESPONSABILITIES; • COMMUNICATION; • COORDINATION; • PLAYBOOKS; • SIMULATIONS; • ETC. PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE OVERVIEW GOING FURTHERRESPONSECONTEXT
4 1. DETECTION 2. CATEGORISATION 3. CONTAINMENT 4. INVESTIGATION5. REMEDIATION 6. REPORTING 7. LEARNINGS PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE LIFE CYCLE GOING FURTHERRESPONSECONTEXT
5 DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION PRESERVE EVIDENCE COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL DO NOT MAKE THINGS WORSE! PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 0. RULES OF ENGAGEMENT GOING FURTHERRESPONSECONTEXT
6 WHO/WHAT DETECTED/REPORTED THE THREAT? WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? HOW WAS THE THREAT DETECTED/REPORTED? HAS A SIMILAR THREAT ALREADY BEEN REPORTED? IS THE THREAT VALID? PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 1. DETECTION GOING FURTHERRESPONSECONTEXT
7 WHO/WHAT IS THE TARGET OF THE THREAT? IS THIS AN ON GOING/LIVE THREAT? WHAT IS THE IMPACT OF THE THREAT? CATEGORISE THE PRIORITY OF THE INCIDENT (P1, P2, P3) CLASSIFY THE INCIDENT COMMUNICATION (RESTRICTED/UNRESTRICTED) PUBLIC 1 2 3 4 5 DECLARE AN INCIDENT… OR NOT! {elysiumsecurity} cyber protection & response 2. CATEGORISATION GOING FURTHERRESPONSECONTEXT
8 COORDINATE INCIDENT MANAGEMENT (TEAM, COMMS, ACTIVITIES, DOCUMENTATION) LIGHT AND QUICK THREAT ANALYSIS (NETWORK, HOST, USER) IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS (IP, PORTS, SIGNATURES, EMAIL, ETC) ISOLATE THE TARGETED ASSET (REMOVE FROM NETWORK, DISABLE ACCOUNT, ETC) IMPLEMENT EMERGENCY CHANGES AS REQUIRED (NETWORK, HOST, USER) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 3. CONTAINMENT GOING FURTHERRESPONSECONTEXT
9 THREAT NETWORK ANALYSIS (F/W, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM) THREAT MALWARE ANALYSIS (A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING) THREAT HOST ANALYSIS (EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VA TO BE DONE, SIEM) THREAT USER ANALYSIS (INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS) THREAT RESEARCH ANALYSIS (ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 4. INVESTIGATION GOING FURTHERRESPONSECONTEXT
10 THREAT NETWORK REMEDIATION (BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES) THREAT MALWARE REMEDIATION (UPDATE HOST AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THAT DID NOT DETECT THE THREAT) THREAT HOST REMEDIATION (REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND DURING THE VA) THREAT USER REMEDIATION (INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT) DECLARE THE INCIDENT REMEDIATED PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 5. REMEDIATION GOING FURTHERRESPONSECONTEXT
11 ON GOING REPORTING (DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES) EVIDENCE GATHERING (THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE) INCIDENT DOCUMENTATION (THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE) INCIDENT REGISTER (CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS. CAN BE LINKED TO OTHER REGISTERS: RISKs/ISSUES) INCIDENT REPORT COMMUNICATION (AS REQUIRED: INTERNAL/EXTERNAL, STAFF/MANAGEMENT/BOARD, VENDORS/CLIENTS, GOVERNMENT/REGULATORS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 6. REPORTING GOING FURTHERRESPONSECONTEXT
12 ROOT CAUSE ANALYSIS (IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR) CONTROLS AND PROCESSES READINESS (EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT) INCIDENT TRENDS ANALYSIS (ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?) MITIGATION PLAN (MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS) IMPROVEMENTS PLAN (STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 7. LEARNINGS GOING FURTHERRESPONSECONTEXT
13 ANALYSIS PUBLIC CONTAINMENT/REMEDIATION NETWORK • BLOCK IP/PORTS/SERVICES; • BLOCK EMAIL; • CHANGE PWD MALWARE HOST • UPDATE A/V AND F/W RULES; • REMOVE MALWARE/SERVICES; • CHANGE PWD. • REMOVE SOFTWARE/PLUGIN; • UPDATE SECURITY CONFIGURATION; REMOVE SERVICES/LOCAL ADMIN. {elysiumsecurity} cyber protection & response GENERIC RESPONSE PLAYBOOK GOING FURTHERRESPONSECONTEXT
14 Forum of Incident Response and Security Teams (FIRST) FRAMEWORK (https://www.first.org/education/FIRST_SIRT_Services_Framework_Version1.0.pdf) National Institute of Standards and Technology (NIST) Special Procedure (SP) 800-61 (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) International Organization for Standardization (ISO) ISO/IEC 27035-1:2016 (https://www.iso.org/standard/60803.html) International Organization for Standardization (ISO) ISO/IEC 27035-2:2016 (https://www.iso.org/standard/62071.html?browse=tc) CONTACT US! (contact@elysiumsecurity.com) PUBLIC {elysiumsecurity} cyber protection & response RESOURCES GOING FURTHERRESPONSECONTEXT
{elysiumsecurity} cyber protection & response © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.

More Related Content

PPT
cyber security incident exercises TTX .ppt
byZharfanHanif
 
PDF
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
PPTX
Incident response
byAnshul Gupta
 
PPTX
Introduction to Incident Response Management
byDon Caeiro
 
PDF
PwC Point of View on Cybersecurity Management
byCA Technologies
 
PDF
INCIDENT RESPONSE CONCEPTS
bySylvain Martinez
 
DOCX
Cyber+incident+response+ +generic+ransomware+playbook+v2.3
byUnioGeek
 
PDF
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
cyber security incident exercises TTX .ppt
byZharfanHanif
 
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
Incident response
byAnshul Gupta
 
Introduction to Incident Response Management
byDon Caeiro
 
PwC Point of View on Cybersecurity Management
byCA Technologies
 
INCIDENT RESPONSE CONCEPTS
bySylvain Martinez
 
Cyber+incident+response+ +generic+ransomware+playbook+v2.3
byUnioGeek
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 

What's hot

PPT
Application Security
byReggie Niccolo Santos
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PDF
Threat Hunting Report
byMorane Decriem
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
PPTX
Cyber kill chain
byAnkita Ganguly
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PPTX
Threat hunting - Every day is hunting season
byBen Boyd
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PDF
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
byChris Gates
 
PDF
Threat Hunting
bySplunk
 
PDF
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
PDF
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
PDF
Threat Modelling
byn|u - The Open Security Community
 
PPT
Application Security
byflorinc
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PDF
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
Application Security
byReggie Niccolo Santos
 
Application Security - Your Success Depends on it
byWSO2
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
Threat Hunting Report
byMorane Decriem
 
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
Cyber kill chain
byAnkita Ganguly
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Threat hunting - Every day is hunting season
byBen Boyd
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
byChris Gates
 
Threat Hunting
bySplunk
 
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
Threat Modelling
byn|u - The Open Security Community
 
Application Security
byflorinc
 
Threat Hunting with Splunk
bySplunk
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 

Similar to INCIDENT RESPONSE OVERVIEW

PDF
OFFENSIVE IDS
bySylvain Martinez
 
PPTX
incedint respvggfffffgddfghonse life.pptx
byMohamedHany892810
 
PPTX
Tsc2021 cyber-issues
byErnest Staats
 
PPTX
chapter on Incident Response Management.
bySuhail Qadir Mir
 
PDF
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
PDF
INTRODUCTION TO CYBER FORENSICS
bySylvain Martinez
 
PPTX
Navigating Cybersecurity Incidents in 2025
bywininlifeacademy5
 
PDF
Navigating-Cybersecurity-Incidents-in-2025.pptx.pdf
byWin In Life Academy
 
PPTX
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
byCashmir Pangandaman
 
PDF
Cybersecurity Incident Response Planning.pdf
byCiente
 
PPTX
You Will Be Breached
byMike Saunders
 
PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
PPTX
Incident Response Lifecycle - Assignment 2 - Judd Nikolai Rosayaga.pptx
byMohammadRafsunIslam
 
PPTX
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
PPTX
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
PDF
YBB-NW-distribution
byMike Saunders
 
DOCX
Cyber+Capability+Toolkit+-+Cyber+Incident+Response+-+Cyber+Incident+Response+...
byMaoTseTungBritoSilva1
 
PDF
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
byChris Galvan
 
PPTX
Incident Response: Validation, Containment & Forensics
byPriyanka Aash
 
PPTX
IAEM cybersecurity 101
bySarah K Miller
 
OFFENSIVE IDS
bySylvain Martinez
 
incedint respvggfffffgddfghonse life.pptx
byMohamedHany892810
 
Tsc2021 cyber-issues
byErnest Staats
 
chapter on Incident Response Management.
bySuhail Qadir Mir
 
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
INTRODUCTION TO CYBER FORENSICS
bySylvain Martinez
 
Navigating Cybersecurity Incidents in 2025
bywininlifeacademy5
 
Navigating-Cybersecurity-Incidents-in-2025.pptx.pdf
byWin In Life Academy
 
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
byCashmir Pangandaman
 
Cybersecurity Incident Response Planning.pdf
byCiente
 
You Will Be Breached
byMike Saunders
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
Incident Response Lifecycle - Assignment 2 - Judd Nikolai Rosayaga.pptx
byMohammadRafsunIslam
 
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
YBB-NW-distribution
byMike Saunders
 
Cyber+Capability+Toolkit+-+Cyber+Incident+Response+-+Cyber+Incident+Response+...
byMaoTseTungBritoSilva1
 
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
byChris Galvan
 
Incident Response: Validation, Containment & Forensics
byPriyanka Aash
 
IAEM cybersecurity 101
bySarah K Miller
 

More from Sylvain Martinez

PDF
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
PDF
INTRODUCTION TO CRYPTOGRAPHY
bySylvain Martinez
 
PDF
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
PDF
2019 CYBER SECURITY TRENDS REPORT REVIEW
bySylvain Martinez
 
PDF
PHISHING PROTECTION
bySylvain Martinez
 
PDF
VIRTUAL CISO AND OTHER KEY CYBER ROLES
bySylvain Martinez
 
PDF
IOT Security
bySylvain Martinez
 
PDF
ARE YOU RED TEAM READY?
bySylvain Martinez
 
PPTX
GDPR SECURITY ISSUES
bySylvain Martinez
 
PDF
Mobile Security Assessment
bySylvain Martinez
 
PDF
The Art of CTF
bySylvain Martinez
 
PDF
OFFICE 365 SECURITY
bySylvain Martinez
 
PDF
Risk on Crypto Currencies
bySylvain Martinez
 
PDF
Talk1 esc7 muscl-gdpr_debate_v1_2
bySylvain Martinez
 
PDF
Talk1 esc7 muscl-dataprotection_v1_2
bySylvain Martinez
 
PPTX
Ethical Hacking
bySylvain Martinez
 
PDF
INCIDENT HANDLING IN ORGANISATIONS
bySylvain Martinez
 
PDF
SOCIAL MEDIA AS A CYBER WEAPON
bySylvain Martinez
 
PDF
Talk2 esc4 muscl-ids_v1_2
bySylvain Martinez
 
PDF
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
INTRODUCTION TO CRYPTOGRAPHY
bySylvain Martinez
 
DATA LOSS PREVENTION OVERVIEW
bySylvain Martinez
 
2019 CYBER SECURITY TRENDS REPORT REVIEW
bySylvain Martinez
 
PHISHING PROTECTION
bySylvain Martinez
 
VIRTUAL CISO AND OTHER KEY CYBER ROLES
bySylvain Martinez
 
IOT Security
bySylvain Martinez
 
ARE YOU RED TEAM READY?
bySylvain Martinez
 
GDPR SECURITY ISSUES
bySylvain Martinez
 
Mobile Security Assessment
bySylvain Martinez
 
The Art of CTF
bySylvain Martinez
 
OFFICE 365 SECURITY
bySylvain Martinez
 
Risk on Crypto Currencies
bySylvain Martinez
 
Talk1 esc7 muscl-gdpr_debate_v1_2
bySylvain Martinez
 
Talk1 esc7 muscl-dataprotection_v1_2
bySylvain Martinez
 
Ethical Hacking
bySylvain Martinez
 
INCIDENT HANDLING IN ORGANISATIONS
bySylvain Martinez
 
SOCIAL MEDIA AS A CYBER WEAPON
bySylvain Martinez
 
Talk2 esc4 muscl-ids_v1_2
bySylvain Martinez
 
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 

Recently uploaded

PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 

INCIDENT RESPONSE OVERVIEW

  • 1.
    INCIDENT RESPONSE OVERVIEW VERSION: 1.3a DATE:27/03/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ESC15-MUSCL CLASSIFICATION: PUBLIC {elysiumsecurity} cyber protection & response
  • 2.
    2 • Incident Response Overview; •Incident Response Life Cycle; • Rules of Engagement; • 1. Detection; • 2. Categorisation; • 3. Containment; • 4. Investigation; • 5. Remediation; • 6. Reporting; • 7. Learnings. • Generic Response Playbook; • Resources. CONTENTS PUBLIC GOING FURTHERRESPONSECONTEXT {elysiumsecurity} cyber protection & response
  • 3.
    3 THE GOAL OFINCIDENT RESPONSE IS TO FIRST CONTAIN THE THREAT, THEN REMEDIATE IT AND RECOVER FROM IT. EFFICIENT INCIDENT RESPONSE RELIES ON ITS INCIDENT MANAGEMENT FRAMEWORK: • CATEGORIES; • ROLES; • RESPONSABILITIES; • COMMUNICATION; • COORDINATION; • PLAYBOOKS; • SIMULATIONS; • ETC. PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE OVERVIEW GOING FURTHERRESPONSECONTEXT
  • 4.
    4 1. DETECTION 2. CATEGORISATION 3. CONTAINMENT 4.INVESTIGATION5. REMEDIATION 6. REPORTING 7. LEARNINGS PUBLIC {elysiumsecurity} cyber protection & response INCIDENT RESPONSE LIFE CYCLE GOING FURTHERRESPONSECONTEXT
  • 5.
    5 DO NOT ENGAGEOR INTERACT WITH THE HACKER/THREAT GROUP DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION PRESERVE EVIDENCE COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL DO NOT MAKE THINGS WORSE! PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 0. RULES OF ENGAGEMENT GOING FURTHERRESPONSECONTEXT
  • 6.
    6 WHO/WHAT DETECTED/REPORTED THE THREAT? WHATIS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? HOW WAS THE THREAT DETECTED/REPORTED? HAS A SIMILAR THREAT ALREADY BEEN REPORTED? IS THE THREAT VALID? PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 1. DETECTION GOING FURTHERRESPONSECONTEXT
  • 7.
    7 WHO/WHAT IS THETARGET OF THE THREAT? IS THIS AN ON GOING/LIVE THREAT? WHAT IS THE IMPACT OF THE THREAT? CATEGORISE THE PRIORITY OF THE INCIDENT (P1, P2, P3) CLASSIFY THE INCIDENT COMMUNICATION (RESTRICTED/UNRESTRICTED) PUBLIC 1 2 3 4 5 DECLARE AN INCIDENT… OR NOT! {elysiumsecurity} cyber protection & response 2. CATEGORISATION GOING FURTHERRESPONSECONTEXT
  • 8.
    8 COORDINATE INCIDENT MANAGEMENT (TEAM,COMMS, ACTIVITIES, DOCUMENTATION) LIGHT AND QUICK THREAT ANALYSIS (NETWORK, HOST, USER) IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS (IP, PORTS, SIGNATURES, EMAIL, ETC) ISOLATE THE TARGETED ASSET (REMOVE FROM NETWORK, DISABLE ACCOUNT, ETC) IMPLEMENT EMERGENCY CHANGES AS REQUIRED (NETWORK, HOST, USER) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 3. CONTAINMENT GOING FURTHERRESPONSECONTEXT
  • 9.
    9 THREAT NETWORK ANALYSIS (F/W,CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM) THREAT MALWARE ANALYSIS (A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING) THREAT HOST ANALYSIS (EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VA TO BE DONE, SIEM) THREAT USER ANALYSIS (INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS) THREAT RESEARCH ANALYSIS (ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 4. INVESTIGATION GOING FURTHERRESPONSECONTEXT
  • 10.
    10 THREAT NETWORK REMEDIATION (BLOCKIP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES) THREAT MALWARE REMEDIATION (UPDATE HOST AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THAT DID NOT DETECT THE THREAT) THREAT HOST REMEDIATION (REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND DURING THE VA) THREAT USER REMEDIATION (INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT) DECLARE THE INCIDENT REMEDIATED PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 5. REMEDIATION GOING FURTHERRESPONSECONTEXT
  • 11.
    11 ON GOING REPORTING (DOCUMENTATIONAND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES) EVIDENCE GATHERING (THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE) INCIDENT DOCUMENTATION (THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE) INCIDENT REGISTER (CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS. CAN BE LINKED TO OTHER REGISTERS: RISKs/ISSUES) INCIDENT REPORT COMMUNICATION (AS REQUIRED: INTERNAL/EXTERNAL, STAFF/MANAGEMENT/BOARD, VENDORS/CLIENTS, GOVERNMENT/REGULATORS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 6. REPORTING GOING FURTHERRESPONSECONTEXT
  • 12.
    12 ROOT CAUSE ANALYSIS (IDENTIFYAND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR) CONTROLS AND PROCESSES READINESS (EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT) INCIDENT TRENDS ANALYSIS (ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?) MITIGATION PLAN (MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS) IMPROVEMENTS PLAN (STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS) PUBLIC 1 2 3 4 5 {elysiumsecurity} cyber protection & response 7. LEARNINGS GOING FURTHERRESPONSECONTEXT
  • 13.
    13 ANALYSIS PUBLIC CONTAINMENT/REMEDIATION NETWORK • BLOCK IP/PORTS/SERVICES; •BLOCK EMAIL; • CHANGE PWD MALWARE HOST • UPDATE A/V AND F/W RULES; • REMOVE MALWARE/SERVICES; • CHANGE PWD. • REMOVE SOFTWARE/PLUGIN; • UPDATE SECURITY CONFIGURATION; REMOVE SERVICES/LOCAL ADMIN. {elysiumsecurity} cyber protection & response GENERIC RESPONSE PLAYBOOK GOING FURTHERRESPONSECONTEXT
  • 14.
    14 Forum of IncidentResponse and Security Teams (FIRST) FRAMEWORK (https://www.first.org/education/FIRST_SIRT_Services_Framework_Version1.0.pdf) National Institute of Standards and Technology (NIST) Special Procedure (SP) 800-61 (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) International Organization for Standardization (ISO) ISO/IEC 27035-1:2016 (https://www.iso.org/standard/60803.html) International Organization for Standardization (ISO) ISO/IEC 27035-2:2016 (https://www.iso.org/standard/62071.html?browse=tc) CONTACT US! (contact@elysiumsecurity.com) PUBLIC {elysiumsecurity} cyber protection & response RESOURCES GOING FURTHERRESPONSECONTEXT
  • 15.
    {elysiumsecurity} cyber protection &response © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.